Identity thieves knew everything about him — and drained his bank accounts in hours

We’re all generally aware, in the abstract sense of lightning strikes or rabid bats, that identity thieves can hit us. It might happen, one day. But we’re sure the odds of it happening, like slipping in the bath tub, are on our side.

Phil McGrane now knows that’s false security. And it’s got him rattled. In a couple of hours last Thursday, thieves in Illinois stole his online identity and drained Phil and Angella McGrane’s multiple bank accounts with a few thousand each.

“There’s this sense that people have, that this could happen to anybody,” McGrane said. “But we now know as a matter of fact that someone has my Social Security number. That’s not a number I can go change. Or my date of birth. Or Angella’s date of birth. That information is now out there.

“It’s not hypothetically out there, as in ‘You may have been affected by this.’ We know for a fact that it is out there and it forces us to think of security differently and our personally identifying information as not being as personal as it once was.”

How did it happen? The thieves didn’t know or hack his password. They knew so much about him that they were able to create, essentially, a duplicate identity. And they had the bravado to call his bank, from a 208 number, to impersonate him.

“They were able to provide my name, my address, my Social Security number, my wife’s name, her date of birth,” he said. “They were able to provide sufficient identifying information over the phone to reset the password to my online account.”

Once they accessed his online accounts, they reset the password and PIN on his debit card, and transferred money from the six accounts to the debit-card account. They left $23 or $28 in each account. They set up a realistic-sounding Gmail account so email communications would go there, not to Phil.

You may not know Phil McGrane, but you know of him. He’s the chief deputy Ada County clerk who dreamed up the mobile voting booth last year – food truck voting, as he calls it. He was a Republican candidate for secretary of state. He believes in transparency, and he’s practicing what he preaches by sharing his story on Facebook and with the Statesman.

Last Thursday was a typically busy afternoon, with McGrane trying to wrap up work and get to Boise State to pick up tickets to that night’s Bronco game. He noticed a text alert from his bank, so he called the bank to challenge the charge, and tried to get on with work and life.

When he checked his online account, his password and PIN didn’t work. “I reset my password to my old password,” he said. “Which, in hindsight, feels really stupid, right?”

He picked up the football tickets, but got to thinking about that old password. So back at the office, he reset it to a new, better password. But the bank, seeing multiple password changes, locked his account.

That was good, because McGrane called and got a super-helpful woman at USAA who walked him through what had happened. He realized he’d gotten previous alerts as well. But in the hour or two between the alerts and the response, the thieves had done their damage: multiple charges at Walmarts and Bank of America ATMs in Illinois, mostly $800 but ranging from $700 to $1,000.

“Based on the behavior, it does seem like these are people who knew exactly what they are doing,” McGrane said.

The bank helped him update his security, including a more complicated, multiphase process to log in to his account.

McGrane doesn’t feel he was lackadaisical before, and he’s glad that he’d signed up for alerts on his cards and that he had USAA, a bank that worked with him to make it all right. Like many of us, he and Angella had been reading about the Equifax breach and talking about what to do to secure their accounts and their credit. “Certainly we’ve learned since there’s a lot more we could be doing,” he said. “This is like a 2-by-4 right upside the head.”

They’ve signed up for credit monitoring and are in the process of freezing their credit histories. They’re considering closing those breached accounts and creating new ones. They’ve been advised to work with the IRS to ensure that thieves can’t file a false tax return (to get a refund).

But he’s not confident that even the best security can ultimately stop a smart, determined thief who has “the type and nature of information they had.” And he worries that someone who burrowed so deeply into his accounts may have gotten even more information, including identifying information on his children.

Does he blame this summer’s Equifax breach? “They knew I banked with USAA, which would be information through my credit history,” he said. “I have trouble believing it’s not part of some breach somewhere.”

His message to others: Institute better security now. Get alerts on your accounts. Do your homework. He recommends a practical guide published by The New York Times. And don’t wait.

“In the end of the day, we are fine,” he said. “For me, sharing this information is to help other people avoid similar circumstances.”

McGrane is now smarter and, he hopes, safer. In addition to the lost peace of mind, there was one other big cost to spending an entire evening on the phone with bank security assistants.